“Anti-virus software isn’t going to save you, it’s only 60 per cent effective,” said Kevin Mitnick – the one time world’s most wanted hacker turned security expert – when addressing the crowd at this year’s IP Expo.
His keynote address, which opened the conference, placed great emphasis on the social engineering element of hacking – tricking users into giving away personal information.
During the talk Mitnick quickly demonstrated some on the easiest ways hackers can exploit people through social engineering to gain access to their data – by simply getting them to open an emailed Word or PDF document.
Both documents appeared as completely normal and safe to open, and even passed an anti virus scan. However, when opened the Word document could steal usernames and passwords and the PDF installed a trojan which could allow the computer to be taken over by the hacker, including switching on the webcam.
Mitnick’s security firm, Mitnick Security Consulting specialises in performing penetration tests for businesses. The firm has never failed when the client has allowed social engineering to be used, nor have any of Mitnick’s competitors that he has spoken to.
“You can have as much security as you want – but one guy makes a mistake it gives a foot in the door and from there access can be gained [to the whole network],” he said.
Furthermore, Mitnick explained how social networks, particularly LinkedIn, allow attacks to be targeted at specific individuals in a company who are most likely to open a document.
This enables the attack to not only target individuals who have no IT expertise but means their their connections can also be seen – who they are doing business with – so a hacker could then make it appear that the document is from a client or partner.
Mitnick also touched on his past as a hacker preceding his arrest in 1995 – before security became a big issue and penetration testing the norm for businesses. “I used to do free penetrations tests,” he joked, “now I charge but the difference is I have permission.”Leave a comment on this article